WordPress websites that have not been updated to the current release, v4.7.2 (released in late January 2017), are under attack. According to the web security firm Sucuri, several hacking groups are running mass defacement campaigns against sites that are still on the vulnerable versions.
Credit: WordPress Exploit Attempts | Sucuri
Sucuri has reported that it "detected the attacks after details of the vulnerability became public last Monday; the attacks have been slowly growing, reaching almost 3,000 defacements per day".
On 1 February 2017, WordPress disclosed that version 4.7.2 of the CMS had also included a fix for a critical vulnerability that was not mentioned when the release shipped.
"While working on WordPress, we discovered a severe content injection (privilege escalation) vulnerability affecting the REST API. This vulnerability allows an unauthenticated user to modify the content of any post or page within a WordPress site." Marc-Alexandre Montpas, vulnerability researcher at Sucuri, wrote.
The hacking groups are exploiting a vulnerability in the WordPress REST API, which ships enabled by default in the 4.7 line. The WordPress team fixed it in January 2017 with 4.7.2, but sites still running 4.7.0 or 4.7.1 remain exposed.
The vulnerability lets a remote attacker, without any credentials, send a crafted HTTP request to a REST API endpoint and change the titles and content of posts on the target site, which is all a defacement needs.
"One of these REST endpoints allows access (via the API) to view, edit, delete and create posts. Within this particular endpoint, a subtle bug allows visitors to edit any post on the site." Sucuri's Montpas explained.
The REST API is enabled by default on all sites running WordPress 4.7.0 or 4.7.1, so any site on either version should be assumed vulnerable and upgraded to 4.7.2 without delay. Sites with automatic background updates turned on will already have received 4.7.2; everyone else needs to apply the update by hand.
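As an added example (it is not code from this article, from Sucuri or from the WordPress project), the following Python script does the two checks a site operator would want after reading the description of the attack above and the upgrade advice: it scans web-server access-log lines for write requests to the core posts endpoint that the attackers are abusing and reports which source addresses look like attackers, and it tells you whether a given WordPress core version is one of the two affected releases. The log lines are constructed for the example. The endpoint path `/wp-json/wp/v2/posts` (and the `?rest_route=/wp/v2/posts` fallback WordPress uses when pretty permalinks are off) is WordPress's real route for posts. The strongest signal the script uses, an `id` query parameter that is not a plain integer, comes from the published 4.7.2 fix, which validates that parameter as an integer, and from the exploit attempts Sucuri observed; the article itself does not go into that detail, so treat the "medium" findings (any other write to the posts route) as worth a look rather than proof of compromise.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache/Nginx "combined" log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Feb/2017:10:01:12 +0000] "POST /wp-json/wp/v2/posts/1?id=1abc HTTP/1.1" 200 1843 "-" "python-requests/2.12"
203.0.113.7 - - [06/Feb/2017:10:01:13 +0000] "POST /wp-json/wp/v2/posts/2?id=2abc HTTP/1.1" 200 1790 "-" "python-requests/2.12"
198.51.100.4 - - [06/Feb/2017:10:02:40 +0000] "POST /?rest_route=/wp/v2/posts/5&id=5a HTTP/1.1" 200 1650 "-" "curl/7.51.0"
192.0.2.9 - - [06/Feb/2017:10:03:05 +0000] "GET /wp-json/wp/v2/posts/1 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.0.2.9 - - [06/Feb/2017:10:03:07 +0000] "GET /wp-json/wp/v2/posts?per_page=10 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
192.0.2.10 - - [06/Feb/2017:10:04:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.11 - - [06/Feb/2017:10:05:30 +0000] "PUT /wp-json/wp/v2/posts/7 HTTP/1.1" 200 1910 "-" "Mozilla/5.0"
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3}) '
)
# Core posts route, either with pretty permalinks (/wp-json/wp/v2/posts/<id>, possibly
# under a subdirectory install) or via the ?rest_route=/wp/v2/posts/<id> fallback.
POSTS_PATH = re.compile(r"(?:^|/)wp-json/wp/v2/posts(?:/(?P<id>[^/?]+))?/?$")
POSTS_ROUTE = re.compile(r"^/?wp/v2/posts(?:/(?P<id>[^/?]+))?/?$")
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
INTEGER = re.compile(r"^\d+$")


def posts_request(target):
    """Return (id_from_url, query_params) if the request targets the posts endpoint, else None."""
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    m = POSTS_PATH.search(parts.path)
    if not m:
        route = query.get("rest_route", [None])[0]
        m = POSTS_ROUTE.match(route) if route is not None else None
    if not m:
        return None
    return m.group("id"), query


def classify(line):
    """Return a finding dict for a write request to the posts endpoint, or None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    hit = posts_request(m.group("target"))
    if hit is None or m.group("method") not in WRITE_METHODS:
        return None
    url_id, query = hit
    id_param = query.get("id", [None])[0]
    # An "id" query parameter that is not a plain integer is the shape the 4.7.2 fix
    # rejects (known from the fix, not from the article); any other write is "medium".
    level = "high" if id_param is not None and not INTEGER.match(id_param) else "medium"
    return {
        "ip": m.group("ip"), "time": m.group("ts"), "method": m.group("method"),
        "url_id": url_id, "id_param": id_param, "status": int(m.group("status")),
        "level": level,
    }


def scan(log_text):
    """All findings, in log order."""
    return [f for f in map(classify, log_text.splitlines()) if f]


def summarize(findings):
    """Number of flagged requests per source address."""
    return Counter(f["ip"] for f in findings)


def attackers(findings):
    """Sorted source addresses with at least one high-confidence finding."""
    return sorted({f["ip"] for f in findings if f["level"] == "high"})


def vulnerable_version(version):
    """True for the core releases this bug affects: 4.7.0 (reported as "4.7") and 4.7.1."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError("not a WordPress version string: %r" % version)
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3]) in {(4, 7, 0), (4, 7, 1)}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f["level"], f["ip"], f["method"], "post", f["url_id"], "id=", f["id_param"])
    print("likely attackers:", attackers(found))
    for v in ("4.6.3", "4.7", "4.7.1", "4.7.2"):
        print(v, "vulnerable" if vulnerable_version(v) else "not affected")
```

Feed the script your real access log (`scan(open(path).read())`) and review the "high" sources first; a 200 status on those requests means the edit was accepted and the affected posts should be checked for injected content, while a 4.7.2 site returns a 400 for the malformed id. The version check deliberately treats releases before 4.7 as not affected, since the core posts endpoint only shipped with 4.7.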